Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Stop bumping go directive unless necessitated by other dependencies #1899

Open
kaovilai opened this issue Dec 24, 2024 · 0 comments
Open

Stop bumping go directive unless necessitated by other dependencies #1899

kaovilai opened this issue Dec 24, 2024 · 0 comments

Comments

@kaovilai
Copy link

Stop bumping go directive unless necessitated by other dependencies

There is nothing necessitating this bump.


❯ go mod graph | grep [email protected]

github.com/sigstore/fulcio [email protected]

[email protected] [email protected]

The minimum should be 1.23.3 without fulcio's own bump.

Stop the minimum virus :D

This repo by itself should not be enforcing minimum on other repositories importing it. Stop spreading "minimum virus"

toolchain version used will be defined outside of go.mod ideally, such as by installing a newer compatible go toolchain to ci/cd/development env.

Failing that, toolchain directive should be used instead of go directive for bumping versions to not cascade minimum versions to importing dependencies.

toolchain directive, in contrast to the go directive, applies only to the current module (the one defined by the go.mod file). It suggests the toolchain to be used when in that very module, and doesn't propagate to other modules.

High profile repos that have removed/reduced minimum go patch version per user requests

Being proactive to prevent following from reoccuring

Originally posted by @kaovilai in eb1f9a3

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant